This article describes the cloud IAM roles and permissions required to onboard and operate Microsoft Defender for Containers in Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) environments.
These permissions apply to cloud connectors, Azure Arc provisioning, agentless threat protection, and registry integration features.
Permissions required by feature
| Defender for Container feature | Component | Required Role |
|---|---|---|
| GKE runtime protection<br>GKE workload hardening<br>Runtime vulnerability assessment (optional) | GKE Arc provisioning (for Defender agent and Azure policy agent) | Azure Arc role: Defender Kubernetes Agent Operator<br>GCP predefined role: Kubernetes Engine Admin OR Kubernetes Engine Viewer (if only Agentless threat protection and/or Kubernetes API access extension are enabled) |
| EKS runtime protection<br>GKE workload hardening<br>Runtime vulnerability assessment (optional) | AWS Arc provisioning (for Defender agent and Azure policy agent) | Azure Arc role: Defender Kubernetes Agent Operator<br>AWS role: AzureDefenderKubernetesRole |
| GKE control plane hardening - Agentless threat protection | GKE AuditLogs provisioning | See GCP Agentless threat protection permissions |
| EKS control plane hardening - Agentless threat protection | AWS AuditLogs provisioning | See AWS Agentless threat protection permissions |
Azure Arc provisioning role for EKS and GKE
The Azure Arc built-in role Defender Kubernetes Agent Operator, which is used to provision the Defender agent and the Azure policy agent, has the following permissions:
- Microsoft.Authorization/*/read
- Microsoft.Insights/alertRules/*
- Microsoft.Resources/deployments/*
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/operationresults/read
- Microsoft.Resources/subscriptions/read
- Microsoft.KubernetesConfiguration/extensions/write
- Microsoft.KubernetesConfiguration/extensions/read
- Microsoft.KubernetesConfiguration/extensions/delete
- Microsoft.KubernetesConfiguration/extensions/operations/read
- Microsoft.Kubernetes/connectedClusters/Write
- Microsoft.Kubernetes/connectedClusters/read
- Microsoft.OperationalInsights/workspaces/write
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.OperationalInsights/workspaces/listKeys/action
- Microsoft.OperationalInsights/workspaces/sharedkeys/action
- Microsoft.Kubernetes/register/action
- Microsoft.KubernetesConfiguration/register/action
AWS Agentless threat protection permissions
AzureDefenderKubernetesRole (default role name: MDCContainersK8sRole):
- sts:AssumeRole
- sts:AssumeRoleWithWebIdentity
- logs:PutSubscriptionFilter
- logs:DescribeSubscriptionFilters
- logs:DescribeLogGroups
- logs:PutRetentionPolicy
- firehose:*
- iam:PassRole
- eks:UpdateClusterConfig
- eks:DescribeCluster
- eks:CreateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:ListAssociatedAccessPolicies
- sqs:*
- s3:*
AzureDefenderKubernetesScubaReaderRole (default role name: MDCContainersK8sDataCollectionRole):
- sts:AssumeRole
- sts:AssumeRoleWithWebIdentity
- sqs:ReceiveMessage
- sqs:DeleteMessage
- s3:GetObject
- s3:GetBucketLocation
AzureDefenderCloudWatchToKinesisRole (default role name: MDCContainersK8sCloudWatchToKinesisRole):
- sts:AssumeRole
- firehose:*
AzureDefenderKinesisToS3Role (default role name: MDCContainersK8sKinesisToS3Role):
MDCContainersAgentlessDiscoveryK8sRole
- sts:AssumeRoleWithWebIdentity
- eks:UpdateClusterConfig
- eks:DescribeCluster
- eks:CreateAccessEntry
- eks:ListAccessEntries
- eks:AssociateAccessPolicy
- eks:ListAssociatedAccessPolicies
MDCContainersImageAssessmentRole
- sts:AssumeRoleWithWebIdentity
- The permissions of these assumed roles: AmazonEC2ContainerRegistryPowerUser & AmazonElasticContainerRegistryPublicPowerUser
GCP Agentless threat protection permissions
MicrosoftDefenderContainersDataCollectionRole
- pubsub.subscriptions.consume
- pubsub.subscriptions.get
MicrosoftDefenderContainersRole
- logging.sinks.list
- logging.sinks.get
- logging.sinks.create
- logging.sinks.update
- logging.sinks.delete
- resourcemanager.projects.getIamPolicy
- resourcemanager.organizations.getIamPolicy
- iam.serviceAccounts.get
- iam.workloadIdentityPoolProviders.get (all the logs that go to Pub/Sub)
MDCCustomRole
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.services.enable
- iam.roles.create
- iam.roles.list
- compute.projects.get
- compute.projects.setCommonInstanceMetadata
MDCCspmCustomRole
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- storage.buckets.getIamPolicy
MDCGkeContainerInventoryCollectionRole
- container.nodes.proxy
- container.secrets.list
Permissions granted in cloud environments
When you onboard AWS or GCP environments to Microsoft Defender for Cloud, a deployment script is generated to create the required IAM roles based on the selected access model:
- Default Access supports all current and future extensions of the selected Defender plans.
- Least Privileged Access grants only the permissions required to support the currently enabled extensions.
The following tables show the permissions granted to Defender for Containers roles, depending on the selected access model.
AWS default access
| Role Name | Associated Policies / Permissions | Capabilities |
|---|---|---|
| MDCContainersImageAssessmentRole | AmazonEC2ContainerRegistryPowerUser (AWS permissions list)<br>AmazonElasticContainerRegistryPublicPowerUser (AWS permissions list) | Agentless container vulnerability assessment. |
| MDCContainersAgentlessDiscoveryK8sRole | eks:DescribeCluster<br>eks:UpdateClusterConfig<br>eks:CreateAccessEntry<br>eks:ListAccessEntries<br>eks:AssociateAccessPolicy<br>eks:ListAssociatedAccessPolicies | Agentless discovery of Kubernetes.<br>Updating EKS clusters to support IP restriction. |
AWS least privileged access
| Role Name | Associated Policies / Permissions | Capabilities |
|---|---|---|
| MDCContainersImageAssessmentRole | AmazonEC2ContainerRegistryReadOnly (AWS permissions list)<br>AmazonElasticContainerRegistryPublicReadOnly (AWS permissions list) | Agentless container vulnerability assessment. |
| MDCContainersAgentlessDiscoveryK8sRole | eks:DescribeCluster<br>eks:UpdateClusterConfig | Agentless discovery of Kubernetes.<br>Updating EKS clusters to support IP restriction. |
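The choice between Default Access and Least Privileged Access described above is easy to check after the fact: pull the permission policy attached to a role and compare its Allow statements against the least-privileged action set this page lists. The following audit script is an added example and is not Microsoft's deployment script or any Defender for Cloud tooling. It takes the two actions the AWS least privileged access table lists for MDCContainersAgentlessDiscoveryK8sRole as the baseline, and the three policy documents in it are constructed sample input (in practice the document would come from `aws iam get-role-policy` or `aws iam get-policy-version`). It reports required actions the policy does not cover, wildcard grants such as `eks:*`, and literal actions beyond the baseline.

```python
"""Audit an AWS IAM permission policy against a least-privileged action set.

Added example (not Microsoft's deployment script). Baseline actions are the
ones the "AWS least privileged access" table lists for
MDCContainersAgentlessDiscoveryK8sRole; the policy documents are constructed.
"""
import fnmatch
import json

# Least-privileged baseline for MDCContainersAgentlessDiscoveryK8sRole (from the page).
REQUIRED_ACTIONS = frozenset({"eks:DescribeCluster", "eks:UpdateClusterConfig"})

# Constructed sample: a "default access" style policy that grants service-wide wildcards.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["eks:*", "s3:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},  # Deny grants nothing
    ],
})

# Constructed sample: exactly the least-privileged baseline.
LEAST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["eks:DescribeCluster", "eks:UpdateClusterConfig"],
         "Resource": "*"},
    ],
})

# Constructed sample: one required action missing, one unrelated action present.
PARTIAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["eks:DescribeCluster", "eks:ListClusters"],
                  "Resource": "*"},
})


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy_json):
    """Return the action patterns granted by Allow statements only."""
    doc = json.loads(policy_json)
    patterns = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant permissions
        patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def _matches(action, pattern):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy_json, required=REQUIRED_ACTIONS):
    """Compare a policy's Allow actions with the required baseline.

    Returns the required actions not covered, every wildcard pattern granted
    (each covers more than the baseline needs), and literal actions outside
    the baseline.
    """
    patterns = allowed_action_patterns(policy_json)
    missing = sorted(a for a in required
                     if not any(_matches(a, p) for p in patterns))
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    required_lower = {a.lower() for a in required}
    excess = sorted(p for p in patterns
                    if p not in wildcards and p.lower() not in required_lower)
    return {
        "missing": missing,
        "wildcards": wildcards,
        "excess": excess,
        "least_privileged": not (missing or wildcards or excess),
    }


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("least", LEAST_POLICY),
                         ("partial", PARTIAL_POLICY)):
        print(name, audit_policy(policy))
```

The baseline can be swapped for any other list on this page (for example the AzureDefenderKubernetesScubaReaderRole actions) to audit that role instead; a wildcard such as `s3:*` or `firehose:*` is reported as a finding even when the page's own default-access role grants it, because the point of the check is to see what a role holds beyond the currently enabled extensions.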
GCP default access
| Service Account Name | Associated Roles / Permissions | Capabilities |
|---|---|---|
| mdc-containers-artifact-assess | Roles/storage.objectUser (GCP permissions list)<br>Roles/artifactregistry.writer (GCP permissions list) | Agentless container vulnerability assessment. |
| mdc-containers-k8s-operator | Roles/container.viewer (GCP permissions list)<br>Custom role MDCGkeClusterWriteRole with permission container.clusters.update | Agentless discovery of Kubernetes.<br>Updating GKE clusters to support IP restriction. |
GCP least privileged access
| Service Account Name | Associated Roles / Permissions | Current Capabilities |
|---|---|---|
| mdc-containers-artifact-assess | Roles/artifactregistry.reader (GCP permissions list)<br>Roles/storage.objectViewer (GCP permissions list) | Agentless container vulnerability assessment. |
| mdc-containers-k8s-operator | Roles/container.viewer (GCP permissions list)<br>Custom role MDCGkeClusterWriteRole with permission container.clusters.update | Agentless discovery of Kubernetes.<br>Updating GKE clusters to support IP restriction. |